Building Identity Resilience
How will the EU’s Digital Operational Resilience Act affect identity services?
Resilient Identity & Access Management
As the Digital Operational Resilience Act (DORA) solidifies itself in the European Union’s risk management landscape, critical changes are underway in the run-up to the January 17th deadline. DORA establishes technical standards that financial entities and their critical third-party technology service providers must implement in their ICT systems. Most (if not all) citizen services require an identification layer and protection for citizen identity information, a primary component of IT services. Without the identity layer, the remaining layers lose availability before they even come into play.
Imagine trying to access a citizen service and the login page is unavailable, or it serves up a disappointing message: “We cannot find your user information.” Clearly, we can’t cover every aspect of the EU’s regulation for ensuring resiliency in IT operations in a single blog. However, if you are a financial institution (broadly defined to include crypto, insurance, banks, crowdfunding, payments, account aggregators, investments, etc.) or an IT company supporting one of its essential functions, then you already have January 17, 2025 circled on your calendar (as noted in Article 64). And you’re well aware that you need to prepare for resiliency and security, especially since noncompliance can result in painful fines of up to 1% of daily revenue and even a ban on conducting business within the EU.
If you need further proof that DORA encompasses Identity and Access Management (IAM), refer to Article 9.3, which requires Multi-Factor Authentication (MFA), Access Control and Confidentiality. The Broadcom IAM portfolio—which includes SiteMinder, VIP, API Gateway, and Privileged Access Management (PAM)—expertly delivers these business-critical capabilities to customers worldwide, Europe included. And even more good news: Article 15.3b specifies the need for Identity Governance Administration (IGA), which is covered by our robust Symantec IGA solution.
The key components of resilient IAM
So, you need resiliency at the identity layer. How can you achieve that? In a nutshell, you must first eliminate single points of failure, making the operation highly available in all segments. Once that’s achieved, you need to prepare for unforeseen events like temporary or permanent network failures, data center failures, storage failures and other resource dependency failures.
While that’s a simplified rundown of what it takes to boost IAM resiliency, we can take a closer look at user stores, authentication and authorization services, session services and identity services.
User stores. The user repository used to be the most ubiquitous identity component. Now, with zero-identity-fingerprint capabilities, that is not always the case, but let’s look at how to address resiliency for user stores. The standard for user stores used to be LDAP, with X.500 directories leading in high-availability capabilities. The new standard in decoupled architectures is a SCIM-compliant repository.
Authentication and authorization services. Authentication needs to sit in front of the protected areas of all IT services, and the availability of this service is also tied to its security. In today's remote environments, strong authentication is the new normal. Ensuring high availability in the authentication process means providing security and offering the citizen a choice of authentication methods, so they can authenticate under different circumstances. Authentication is a target of advanced attacks, so it needs to withstand denial-of-service attempts, not only by keeping some extra capacity in reserve but also by identifying and mitigating those attack vectors.
Session services. Authentication and session management in the new Zero Trust world are no longer one-time actions. Sophisticated protocols like Continuous Access Evaluation, where a session is continuously monitored and can be terminated at any time, are new players in the session management scene.
Identity services. Identity services that fulfill the citizen user lifecycle from inception to end, and address citizen-driven requests such as credential resets, need to be continuously available, as they are among the most important citizen services.
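The authentication and session points above, as an added example that is not Broadcom or SiteMinder code: a small authentication front end that throttles failed logins per source address (so a flood of bad attempts is rejected before any credential work is done), then issues sessions that are re-evaluated on every request and terminated as soon as a security signal arrives, in the spirit of continuous access evaluation. Every class name, the thresholds (5 failures per 60 seconds, a 3600-second session lifetime) and the credential map are assumptions constructed for the example.

```python
"""Added example, not Broadcom/SiteMinder code: an authentication front end that
throttles failed logins per source address and issues sessions that are
re-evaluated on every request and revoked on security signals.
All names, thresholds and credentials below are assumed/constructed."""
from __future__ import annotations

import hmac
from collections import deque
from dataclasses import dataclass

MAX_FAILURES = 5        # assumed policy: failed logins per source per window
WINDOW_SECONDS = 60.0   # assumed sliding-window length in seconds
SESSION_TTL = 3600.0    # assumed absolute session lifetime in seconds


class AuthThrottle:
    """Sliding-window count of failed attempts, keyed by source address."""

    def __init__(self, max_failures: int = MAX_FAILURES, window: float = WINDOW_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self._failures: dict[str, deque[float]] = {}

    def allowed(self, source: str, now: float) -> bool:
        q = self._failures.setdefault(source, deque())
        while q and now - q[0] > self.window:   # drop failures that left the window
            q.popleft()
        return len(q) < self.max_failures

    def record_failure(self, source: str, now: float) -> None:
        self._failures.setdefault(source, deque()).append(now)


@dataclass
class Session:
    user: str
    source: str
    issued_at: float
    revoked: bool = False
    reason: str = ""


class SessionService:
    """Continuous evaluation: a session stays valid only while every check on each request passes."""

    def __init__(self, ttl: float = SESSION_TTL):
        self.ttl = ttl
        self._sessions: dict[str, Session] = {}
        self.disabled_users: set[str] = set()
        self._counter = 0

    def issue(self, user: str, source: str, now: float) -> str:
        self._counter += 1
        sid = f"sess-{self._counter}"
        self._sessions[sid] = Session(user, source, now)
        return sid

    def on_user_disabled(self, user: str) -> None:
        """Signal from the identity service: terminate every live session of the user."""
        self.disabled_users.add(user)
        for s in self._sessions.values():
            if s.user == user and not s.revoked:
                s.revoked, s.reason = True, "user disabled"

    def evaluate(self, sid: str, source: str, now: float) -> tuple[bool, str]:
        """Called on every request; the first failing check revokes the session for good."""
        s = self._sessions.get(sid)
        if s is None:
            return False, "unknown session"
        if s.revoked:
            return False, s.reason
        if now - s.issued_at > self.ttl:
            s.revoked, s.reason = True, "expired"
            return False, s.reason
        if source != s.source:               # session is bound to the source it was issued to
            s.revoked, s.reason = True, "source changed"
            return False, s.reason
        return True, "ok"


class AuthService:
    def __init__(self, credentials: dict[str, str], throttle: AuthThrottle, sessions: SessionService):
        self.credentials = credentials   # constructed user -> secret map (a real store holds hashes)
        self.throttle = throttle
        self.sessions = sessions

    def login(self, user: str, secret: str, source: str, now: float) -> tuple[str | None, str]:
        if not self.throttle.allowed(source, now):
            return None, "throttled"           # rejected before any credential work is done
        if user in self.sessions.disabled_users:
            return None, "user disabled"
        expected = self.credentials.get(user, "")
        if not expected or not hmac.compare_digest(expected.encode(), secret.encode()):
            self.throttle.record_failure(source, now)
            return None, "invalid credentials"
        return self.sessions.issue(user, source, now), "ok"
```

Two design choices are deliberate: the throttle check runs before the credential comparison, so a flood of attempts costs the service almost nothing, and `evaluate` marks a session revoked on its first failed check, so a session that was once seen from the wrong source does not come back to life when the original source reappears.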
Resiliency—at enterprise scale
Taking a peek through the microscope at Broadcom software's DNA, you will find enterprise-level architectures at large scale. The software is highly distributed and can be deployed without single points of failure in the backend, with multi-master support.
Furthermore, since Broadcom’s acquisition of CA Technologies, the IAM software has undergone accelerated development and adoption of state-of-the-art technologies, including Kubernetes-native support.
With resiliency baked in, Kubernetes:
- Handles authentication peaks through metrics-driven horizontal scaling.
- Supports no-downtime upgrades (or downgrades) using a rolling-update approach.
- Enables state watching for self-healing operations.
- Allows for software-defined virtual assets that can be constructed over highly available physical environments, such as storage, databases and networks.
- Recovers from unforeseen circumstances like memory exhaustion on a pod by automatically disposing of it and spinning up replacement pods.
Innovation in action
With a constant eye on the horizon, we are bolstering our IAM solutions to offer you the most effective and efficient ways to protect your environment and ready you for the next threat.
SiteMinder for Containers benefits from all the enterprise-level features of redundancy and high availability, plus the advantages of the Kubernetes infrastructure. Standard SiteMinder already has the capability to replicate all its components and interact with replicated instances of surrounding components, such as user stores, web agents, and authentication systems, in a resilient manner. It can detect inactive instances and automatically fail over to the next instance in the list. Take a look at a typical SiteMinder resilient architecture.
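The failover behaviour just described (detect an inactive instance, move to the next one in the list), as an added example that is not SiteMinder code and does not reflect how SiteMinder implements it internally. The client keeps an ordered list of replicated back-end instances, marks one inactive when it fails to answer, keeps it out of rotation for a cooldown before trying it again, and answers a readiness question of the kind a platform probe (the state watching in the Kubernetes list above) would ask. The instance names, the 30-second cooldown and the simulated user-store call are constructed for the example.

```python
"""Added example, not Broadcom/SiteMinder code: a client that fails over across
an ordered list of replicated back-end instances, keeps inactive ones out of
rotation for a cooldown, and exposes a readiness answer for a platform probe.
Instance names, timings and the simulated back end are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Any, Callable


class AllInstancesDown(Exception):
    """Raised when no replica could serve the request."""


@dataclass
class Instance:
    name: str
    down_since: float | None = None   # None while the instance is considered active


class FailoverClient:
    def __init__(self, names: list[str], retry_after: float = 30.0):
        self.instances = [Instance(n) for n in names]
        self.retry_after = retry_after   # seconds before an inactive instance is tried again

    def _candidates(self, now: float):
        """Instances in list order, skipping those still inside their cooldown."""
        for inst in self.instances:
            if inst.down_since is None or now - inst.down_since >= self.retry_after:
                yield inst

    def call(self, op: Callable[[str], Any], now: float) -> tuple[str, Any]:
        """Run op against the first instance that answers; returns (instance name, result)."""
        for inst in self._candidates(now):
            try:
                result = op(inst.name)
            except ConnectionError:
                inst.down_since = now       # mark inactive and fail over to the next one
                continue
            inst.down_since = None          # it answered: back in (or still in) rotation
            return inst.name, result
        raise AllInstancesDown("no active instance among " + ", ".join(i.name for i in self.instances))

    def ready(self, now: float) -> bool:
        """Readiness answer for a probe: at least one instance is eligible to be tried."""
        return any(True for _ in self._candidates(now))

    def health(self) -> dict[str, str]:
        return {i.name: ("active" if i.down_since is None else "inactive") for i in self.instances}


# Constructed stand-in for the replicas: flip a value to simulate an outage.
BACKEND_STATE = {"userstore-1": "up", "userstore-2": "up"}


def lookup_user(instance: str) -> dict[str, str]:
    """Constructed user-store call; a real one would be an LDAP or SCIM request."""
    if BACKEND_STATE[instance] != "up":
        raise ConnectionError(instance)
    return {"uid": "alice", "served_by": instance}


if __name__ == "__main__":
    client = FailoverClient(list(BACKEND_STATE), retry_after=30.0)
    print(client.call(lookup_user, now=0.0))
    BACKEND_STATE["userstore-1"] = "down"
    print(client.call(lookup_user, now=1.0), client.health())
```

The cooldown matters for the resiliency goal: without it, every request would pay the connection timeout of the dead instance before failing over, which is exactly the latency an authentication peak cannot absorb. The `ready` answer lets the platform stop routing traffic to a replica whose dependencies are all unreachable instead of letting it fail requests.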
Symantec Directory is one of the most advanced implementations of an X.500 directory, allowing multi-master replication and large deployments that can be distributed geographically while maintaining integrity and performance. Explore a large sample deployment.
Symantec PAM merely requires a simple setup to enable the virtual appliances to be in high availability. This is not limited to two nodes, but can be configured in a master-slave multi-site approach that ensures resiliency to network and computing failures. Browse the documentation.
On top of that, Broadcom offers free solution deployment reviews (SDRs) to selected customers, enabling them to further fine-tune resiliency by adjusting configuration parameters.
Build resilience with Broadcom
Whether you’re a European-based organization preparing for the upcoming Jan. 17 deadline or you’re in another corner of the world, Broadcom offers the latest innovations and expertise you need to strengthen your IAM defenses. Explore our extensive IAM portfolio and discover how we can help build your resilience so you can handle the next threat, mandate, or unexpected change with confidence.